Integration / OpenCode
Let OpenCode sign up for websites and keep API keys out of context
Connect Trusty Squire as a local OpenCode MCP server. OpenCode plans the development job while Trusty Squire operates the real website and stores generated credentials behind a write-only boundary.
npx @trusty-squire/mcp connect --target=opencodeInstallation guide →Ask for the outcome
“Use Trusty Squire to sign up for Resend and wire the API key into my app.”
“Set up Clerk without putting its secret key in this chat or .env.”
“Sign in to Sentry and configure the webhook this project needs.”
How it works
- 01
Run the OpenCode target
The connect command signs this machine in and adds a local squire server to OpenCode's effective global JSON or JSONC configuration.
- 02
Restart OpenCode
Start a fresh OpenCode session so it connects to the server and loads the Trusty Squire MCP tools.
- 03
Ask for the website outcome
Name the service and the setup your application needs. OpenCode plans the work and calls Trusty Squire for browser and credential operations.
What to know
Your OpenCode settings and comments stay intact
OpenCode normally reads ~/.config/opencode/opencode.json or opencode.jsonc. The installer respects custom OPENCODE_CONFIG and XDG_CONFIG_HOME locations, then makes a targeted JSONC-aware edit. It preserves surrounding comments, models, providers, permissions, plugins, and unrelated MCP servers while refreshing the managed squireentry. That entry uses OpenCode's command-array format and a 30-second startup timeout. Account and session tokens are never written to this configuration.
Control when the MCP tools are available
OpenCode exposes enabled MCP tools to the model. Set the squire server's enabled field to false when you do not need it, or use an OpenCode permission such as "squire_*": "ask" when you want approval before its tool calls. The installer does not overwrite your permission policy.
The provider key remains behind the vault boundary
Trusty Squire's credential tools return references and authenticated results, not stored plaintext. The provider key does not need to enter OpenCode's transcript, generated source, or local .env. Browser diagnostics can still contain whatever a website visibly renders, so avoid re-observing a page after it displays a secret.
Does Trusty Squire work with OpenCode?
Yes. Trusty Squire runs as a local stdio MCP server, and the connect command adds it to OpenCode's global MCP configuration.
Where does Trusty Squire configure OpenCode?
It updates the effective OpenCode global JSON or JSONC config, respecting OPENCODE_CONFIG and XDG_CONFIG_HOME. Existing settings, surrounding comments, and other MCP servers are preserved.
Can OpenCode use an API key without putting it in .env?
Yes. Trusty Squire's credential tools use vault references and server-side injection instead of returning the stored provider key to OpenCode. A separately issued app grant token can enter context and must still be handled as a backend secret.
Can OpenCode automate every website signup?
No. Trusty Squire stops when a site requires a phone, hard CAPTCHA, payment, or a decision that belongs to a person instead of guessing or claiming success.